Wipfli LLP - CPAs and Consultants

Safeguarding Customer Information through Proper Risk Assessment

April 01, 2005

Note: This is the third article in a four-part series on protecting financial institution customer information. The first two articles, "Safeguarding Customer Information through an Information Technology Examination and Vulnerability Testing" and "Safeguarding Customer Information through a Compliant Information Security Program," are available in the Financial Institutions industry archive.

Information security. It's what allows every financial institution to meet its business objectives while properly serving its customers and maintaining their trust. Therefore, it's crucial that financial institutions establish a security process to protect the confidentiality, integrity, and availability of their information systems and data, and a successful process depends on a comprehensive risk management plan designed to identify, measure, and control risks.

Evaluating the risks associated with safeguarding customer information is an important undertaking and a key driver of the information security process. It encompasses the breadth and depth of a financial institution's IT capabilities, as well as all physical and operational touchpoints. Before embarking on a security risk assessment, an organization should ensure that the assessment will adequately consider potential risks in all business lines, at every operational level, and across all risk categories.

Elements of an effective risk assessment

To be sure, an initial risk assessment will require a significant one-time effort. Subsequent assessments will be less involved and should become an ongoing part of any successful security program.

Addressing a set of key questions can help shape an effective risk assessment and allow an organization to recognize the full extent of risks wherever they may exist. These questions are fundamental to the initial risk assessment process.

What are we trying to protect? Risk assessment starts with gathering key information about which assets the financial institution must try to protect. Like taking an inventory, the process painstakingly identifies all of the information system assets, whether physical or operational, internal or external.

What are we afraid will happen? Next, a good assessment should determine the possible threats to the identified assets. The effort to identify threats should cover every conceivable scenario, from disgruntled employees who might attempt to sabotage the financial institution, to accidents resulting from inadequate controls, to natural disasters and power failures.

How do we currently prevent threats from occurring? Every financial institution has measures in place to protect information. This stage of the process should document all of a financial institution’s existing controls and current security processes.

How might possible threats still occur? Despite any controls and security measures that are in place, a financial institution may still face hazards. It’s important to explicitly identify any and all organizational and technical vulnerabilities that could expose a financial institution to potential risk. This could encompass a variety of elements including ineffective training programs, weak management support, poor network configurations, or software/hardware vulnerabilities, to name a few.

What is the likelihood that threats will occur? Conducting a probability analysis is crucial to a quality risk assessment. Once all the necessary asset information has been gathered, it can then be plotted out according to the type of threat that might occur, as well as ranked by the likelihood that such threats could occur against the system or data.

What would the impact be if such threats occurred? Ranking the impact that an event or threat would have on the institution is vital information; it brings the financial institution one step closer to measuring each threat and its resulting consequences.

What is the level of risk relative to other risks? A qualitative risk analysis ranks outcomes and probabilities and prioritizes risks, allowing the financial institution to weigh its options and determine actions accordingly. By categorizing the risks, management can decide whether they meet their security requirement thresholds and thus can accept risks or take active steps to mitigate them either immediately or partially over time.

A thorough assessment plotted into a risk matrix using the above questions as guidance gives the financial institution a complete picture of its exposure. Remediation planning can then begin: identify control solutions; estimate risk reduction, costs, and the effort required to implement controls; and determine the appropriate strategy for effective mitigation.
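The questions above map naturally onto a small risk register. The following Python sketch is an illustration added here, not code from the article or from Wipfli: each question becomes a field, likelihood is scored against impact, and the results are plotted into a matrix and ranked into accept or mitigate decisions. The register entries, the three-point scale, and the scoring thresholds are constructed assumptions.

```python
from dataclasses import dataclass

# Assumed qualitative scale; many institutions use a finer one.
LEVELS = {"low": 1, "medium": 2, "high": 3}


@dataclass
class RiskItem:
    asset: str            # What are we trying to protect?
    threat: str           # What are we afraid will happen?
    controls: list        # How do we currently prevent it?
    vulnerability: str    # How might the threat still occur?
    likelihood: str       # low / medium / high
    impact: str           # low / medium / high


def risk_score(item):
    """Likelihood multiplied by impact on the assumed 1-3 scale (1..9)."""
    return LEVELS[item.likelihood] * LEVELS[item.impact]


def risk_level(score):
    """Collapse the numeric score back into a qualitative level."""
    return "high" if score >= 6 else "medium" if score >= 3 else "low"


def matrix(register):
    """Plot each asset into a likelihood x impact grid, as the article describes."""
    grid = {(lik, imp): [] for lik in LEVELS for imp in LEVELS}
    for item in register:
        grid[(item.likelihood, item.impact)].append(item.asset)
    return grid


def assess(register, mitigate_at="medium"):
    """Rank the register by score and decide accept vs. mitigate per item.

    Items at or above the management-set threshold are flagged for mitigation;
    everything below it is accepted (the threshold is an assumed policy value).
    """
    ranked = sorted(register, key=risk_score, reverse=True)
    decisions = []
    for item in ranked:
        level = risk_level(risk_score(item))
        action = "mitigate" if LEVELS[level] >= LEVELS[mitigate_at] else "accept"
        decisions.append((item.asset, item.threat, level, action))
    return decisions


# Constructed sample register; names and ratings are illustrative only.
REGISTER = [
    RiskItem("core banking database", "sabotage by disgruntled employee",
             ["role-based access", "audit logging"],
             "accounts not removed promptly on termination", "medium", "high"),
    RiskItem("branch file server", "data loss from power failure",
             ["nightly backups"], "backup restores never tested", "medium", "medium"),
    RiskItem("public website", "defacement", ["patching", "web filtering"],
             "none identified", "low", "low"),
]
```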

The final article in this four-part series explores the requirements of creating an information security policy.